Traditionally, antivirus systems utilize the interception of system calls in order to detect malicious programs. Detection can occur as early as the execution stage. For example, system calls that perform suspicious activities, such as the writing of an executable file to the Windows folder, can be intercepted. The originating executable can then be identified as potentially (or likely) malicious. As a result, it is possible to block even unknown malicious programs, which is an advantage of current antivirus systems.
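The following is an added illustration, not part of the original text, of the behavioural heuristic described above: a detector that consumes a stream of intercepted system-call events and flags processes writing executable content into the Windows folder. The event format, the `SyscallEvent` fields and the sample events are constructed for this example, and the path normalization handles NT-style prefixes, mixed separators and case.

```python
import ntpath
from dataclasses import dataclass

# Constructed: hypothetical system-call events as an interception layer might report them.
@dataclass
class SyscallEvent:
    pid: int
    image: str       # originating executable
    syscall: str     # e.g. "NtCreateFile", "NtWriteFile"
    path: str        # target path, possibly in NT form ("\??\C:\...")
    data: bytes = b""

WINDOWS_DIR = "C:\\Windows"
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}

def normalize_nt_path(path: str) -> str:
    """Strip NT device prefixes, collapse '..' and fold case so 'c:/windows/x' == 'C:\\WINDOWS\\x'."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return ntpath.normpath(path.replace("/", "\\")).lower()

def is_under_windows_dir(path: str) -> bool:
    """True only for paths inside the Windows folder (not e.g. C:\\WindowsUpdate)."""
    norm = normalize_nt_path(path)
    root = normalize_nt_path(WINDOWS_DIR)
    return norm == root or norm.startswith(root + "\\")

def looks_executable(path: str, data: bytes) -> bool:
    """Executable by extension, or by a PE 'MZ' header at the start of the written data."""
    ext = ntpath.splitext(normalize_nt_path(path))[1]
    return ext in EXEC_EXTENSIONS or data[:2] == b"MZ"

def suspicious_writers(events):
    """Return {pid: image} for processes that wrote executable content into the Windows folder."""
    flagged = {}
    for ev in events:
        if ev.syscall != "NtWriteFile":
            continue
        if is_under_windows_dir(ev.path) and looks_executable(ev.path, ev.data):
            flagged[ev.pid] = ev.image
    return flagged

# Constructed sample event stream for demonstration.
SAMPLE_EVENTS = [
    SyscallEvent(100, "notepad.exe", "NtWriteFile", "C:\\Users\\a\\notes.txt", b"hello"),
    SyscallEvent(200, "updater.exe", "NtWriteFile", "\\??\\C:\\WINDOWS\\system32\\helper.dll", b"MZ\x90\x00"),
    SyscallEvent(300, "setup.exe", "NtCreateFile", "C:\\Windows\\x.exe"),          # open only, no write
    SyscallEvent(400, "helper.exe", "NtWriteFile", "c:/windows/temp/../payload.bin", b"MZ"),
    SyscallEvent(500, "other.exe", "NtWriteFile", "C:\\WindowsUpdate\\x.exe", b"MZ"),  # sibling folder
]
```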
However, the ability to intercept system service calls in particular versions of the Windows operating system (OS) is limited by Microsoft-implemented protections. Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel. PatchGuard prevents the use of the aforementioned traditional interception methods. PatchGuard tracks changes in a number of important kernel objects of the OS (for example, malicious changes caused by the operation of rootkits, or modifications by outside software, such as antiviruses) and takes appropriate action if changes are detected. For example, PatchGuard can cause a system crash when it detects changes in the system call table or the Interrupt Descriptor Table (IDT).
Existing solutions offer the ability to bypass the protections of PatchGuard and other similar solutions. For example, a hypervisor can be utilized to bypass PatchGuard to create interceptors of the kernel objects, without a system crash. Bypassing PatchGuard is therefore possible with the help of hardware virtualization. However, the creation of interceptors for kernel objects (for example, SSDT monitoring) requires knowledge of the internal structure of those kernel objects. The kernel object structure can vary depending on OS version. As a result, multiple versions of the interceptor are required to support multiple versions of an OS and its particular kernel object structure(s).
Therefore, there is a need for systems and methods for handling system calls that are effective, efficient, and implementable in multiple versions of operating systems having varying kernel object structures.